Data breach report stirs security pot

Related Links

Now that an unflattering report detailing data loss in 19 major agencies is public, House Government Reform chairman Tom Davis (R-Va.) is calling for action from the administration and Congress.

The recent committee staff report revealed that some agencies were clueless as to what happens to personal data in their care. The vast majority of data breaches arose from physical theft of notebook PCs, drives and disks, or from unauthorized use of data by employees, the report said.

Davis said that next he will take a closer look at agencies with the most widespread breaches.

'I'm also intent on reaching out again to those agencies that reported few or no incidents. I'm wondering if they simply lack the means to know if sensitive information's been compromised,' Davis said.

The Office of Management and Budget needs to act more decisively to help agencies secure data, he added.

'OMB should begin by clarifying and strengthening their guidance,' Davis said.OMB, meanwhile, is contemplating its next move.

'We appreciate the recent input of the House Government Reform Committee and the inspectors general. We're reviewing these two reports and will use them to inform our thinking on potential next steps,' said an OMB spokeswoman.

OMB has provided some guidance to agencies to safeguard personal information since the May theft of a notebook PC, containing data belonging to millions of veterans, from the home of a Veterans Affairs Department employee.

Davis plans to work with OMB to strengthen agency guidance while also pushing through Congress legislation that makes that guidance a requirement in addition to other steps.

The House recently passed the Veterans Identity and Credit Security Act of 2006, which includes legislation that Davis authored. The bill would strengthen federal security requirements and provide for notification. Davis will offer his legislation as a standalone bill if the Senate does not pass the VA security bill when Congress returns next month, he said.

'Whether the legislation is part of the VA bill or separate, I think there's consensus that these are steps we need to take, and take now,' Davis said.Davis worked with Veterans Affairs chairman Steve Buyer (R-Ind.) to craft the security bill. Buyer is negotiating with the Senate on the bill, a committee spokeswoman said.

As the committee staff report proved and VA found in its own experience, it is important that agencies inventory all their IT systems to assess what data is at risk and what safeguards must be imposed, Buyer said.

'Agencies need to empower the CIO with authority and responsibility to ensure data security compliance,' he said.

Following the flood of security breaches this year, Davis and ranking Democrat Henry Waxman (D-Calif.) sought summaries from major agencies of data breaches in the past three years to provide a governmentwide snapshot of data risk.

Federal contractors were responsible for many of the data breaches that agencies reported, the report said. Davis wants to reaffirm that the Federal Information Security Management Act applies to contractors.

'If necessary, we can amend FISMA to make this even more apparent and effective,' he said.